Go beyond SOX for business continuity

Achieving SOX compliance does not ensure business resilience or continuity. There are extra steps you should take to make sure that your business is protected.


As business continuity practitioners, we often hear from C-level managers that their organization is "in pretty good shape" from a business continuity or disaster recovery (DR) perspective, having just completed a Sarbanes-Oxley (SOX) compliance effort. After all, auditors evaluate the measures or controls in place to ensure transactional data is available if ever requested by a court of law. Many organizations depend on IT systems to access and store transactional data; in other words, data storage and backups.

The assumption that an organization is capable of business resumption because it has met SOX compliance requirements sometimes leads to a very unpleasant surprise following a major disaster. The SOX Act was mostly designed to rebuild the investor community's confidence and protect investors from negligent or fraudulent financial reporting by filers. The following are only some of the data storage and backup items not directly considered by auditors when reviewing IT controls (SOX Section 404). They are nonetheless essential elements of business continuity management (BCM):

Recovery time objective (RTO): Data protection alone does not ensure timely recovery. The RTO for a given application is not an output of a regulatory compliance audit, and data restore performance is not measured.

Recovery strategy: A SOX compliance audit offers little guidance as to whether tape backups, disk-to-disk backups or data replication will best meet your business's and your applications' specific requirements.

Contingency plan: SOX compliance does not require an organization to have comprehensive, well-rehearsed and maintained contingency plans. In fact, DR and BCP are specifically named as being outside the scope of SOX compliance requirements.

Dependencies and recovery priorities: SOX is not necessarily concerned that a licensing server must first be restored and operational before an application can come up or that the data network must be available for backup data to be restored. The order in which applications are recovered is of no relevance unless it affects specific controls over security, availability or integrity of transactional data.

Lost revenue: SOX is concerned with data being recoverable, but not the time involved. Revenue losses resulting from a lengthy recovery are not directly considered.

Like regulatory compliance, BCP must become part of a solid risk management program. Compliance alone does not ensure recoverability. From a storage perspective, the choice of technology and its performance are not regulated beyond certain data security and integrity aspects; you are responsible for designing data storage and backup strategies that meet your business's requirements. It is up to you to clearly document the recovery priorities and procedures.

In retrospect, we can assume that out of the numerous Gulf Coast businesses that will never reopen after Hurricane Katrina, some may have been SOX compliant.

About the author: Pierre Dorion is a certified business continuity professional for Mainland Information Systems Inc.
This was first published in November 2005.